Cloud-based endpoint security services are less mature than their on-premises counterparts, as illustrated in the first of this two-part series on evaluating cloud-based endpoint security functionality. Thus, it behooves an IT security organization to carefully consider its requirements before evaluating, choosing and implementing one.
For any but the smallest customer, flexibility and granularity of administration is an important element.
As we continue our exploration of cloud-based endpoint security services, we look at how vendors provide functionality for endpoint security management, based on The Tolly Group's recent experience building prototype deployments using services from five well-known cloud security vendors.
Cloud endpoint security: Administration delegation
Some, but not all, cloud-based endpoint security services allow for multiple administrative users and then subsequent delegation of control of certain groups to particular administrators. Some even allow a "read only" admin role that can monitor endpoint security but not change it.
For any but the smallest customer, flexibility and granularity of administration is an important element. If your organization wants to be able to delegate administrative responsibility to different people for different groups of endpoints, be certain to check that your prospective service providers for that.
Of course, what really counts is what the admin can do with the endpoint clients. We looked at a few varying functions to determine the depth of endpoint management.
Cloud endpoint security: Policy (group) control
Endpoints operate under rules that are typically defined in policy profiles. For our research, we attempted to build a policy with the following attributes: update signature file every four hours, run a full scan daily and exclude a specific file/directory from the antimalware scan. Surprisingly, not all of the cloud endpoint security services even allowed a policy to be configured with all of these attributes. For example, one service did not allow any changes to the update frequency for signature files or allow for exclusions. Other vendors' products can appear as if they don't support some functions as the default policy is often read-only. Thus, you will need to create a custom policy if you wish to make changes like those mentioned above.
The job of an anti-malware system is to detect and isolate known threats before they harm the endpoint. In general, the threats are quarantined for review by the security admin. Upon review, the admin will often delete actual threats and exclude any false positives so that the files will not be incorrectly quarantined by future scans. Surprisingly, not all the antimalware functions of endpoint security services that we have evaluated offer this functionality. Some simply appear to remove any file detected as a virus. This could be problematic for many organizations.
Similarly, we looked at what actions the admin could take when a file falsely identified as a virus was placed in quarantine. Because some of the services didn't even appear to have a quarantine, nothing could be done. Only one allowed the admin to automatically add the false positive to an exclusion list. For another, the only way to prevent the false positive was to go back to the policy in force for the endpoint and edit the policy manually to add an exclusion. (Not a major effort, but certainly a nuisance if the admin needs to deal with a large number of false positives.)
Cloud endpoint security: Managing individual endpoints
For the final part of our research, we looked at how we could interact with a specific endpoint in several ways.
Trigger on-demand scanning: If an endpoint is exhibiting strange behavior or a high number of threats, the security admin will certainly want to be able to trigger an on-demand scan of that particular endpoint. Surprisingly, one of the services that we evaluated did not even offer this function. Another allowed on-demand only at the group level. Thus, if a scan of a single endpoint is required, a new group must be created and that station reassigned to that group before the scan could be triggered. We had to wonder why the vendor didn't just provide an option for a single device? It would be hard to imagine avoiding some level of manual intervention on the part of the administrator.
From the Editors: More on cloud endpoint security
See Kevin Tolly's companion article: Cloud endpoint security considerations: Deployment, alerts and reports
Temporarily disable antimalware functionality: It is not uncommon for installation of certain programs to request that AV be disabled for the install. Similarly, certain types of troubleshooting on an endpoint can be simplified if the antimalware scanner can be removed temporarily from the equation. Thus, one would think that a management function to disable/enable antimalware on the endpoint would be broadly available. Think again. Of the five vendors' services that were part of our research, only one offered this capability. For the remaining ones, it appears that the only way to disable antimalware scanning is to uninstall it. This is likely to be a major ongoing stumbling block for many organizations.
Remote Wake on LAN: Dormant systems typically end up with outdated signature files and can fall behind on OS and application security patches. Since most systems will run this maintenance automatically when powered on, waking up dormant systems can be a useful function. Wake-on-LAN (WoL) functionality -- in which a so-called "magic packet" is sent to the LAN MAC address and triggers the power-on process for the computer -- can trigger the power on sequence across the network.
Within the scope of our research, only one of the five cloud endpoint security services offered WoL. Perhaps other antimalware vendors don't see that functionality as relevant to the threat-detection process, but it is certainly useful when checking the status of a system and/or making certain that a system has up-to-date patches and virus signatures.
Where the traditional on-premises endpoint security product market is a mature one, the same can't be said of cloud-based alternatives. With even basic functionality missing from some major players, organizations need to verify that requisite functions actually exist in the cloud provider offerings that they are considering. The good news is that cloud-service providers can improve their offerings easily and frequently since, after all, they reside in the cloud.
About the author:
Kevin Tolly is founder of The Tolly Group, which has been a leading provider of third-party validation/testing services for more than two decades.